[19432] in cryptography@c2.net mail archive
Re: RNG quality verification
daemon@ATHENA.MIT.EDU (James A. Donald)
Tue Dec 27 16:59:58 2005
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: "Travis H." <solinym@gmail.com>, cryptography@metzdowd.com,
Philipp Gühring <pg@futureware.at>
Date: Sat, 24 Dec 2005 15:48:42 -0800
In-reply-to: <200512222135.52355.pg@futureware.at>
--
From: Philipp Gühring <pg@futureware.at>
> The problem is that I have to live with COTS
> (Common-off-the-shelf) software out there, that is
> generating the certificate requests. The only thing I
> can do is create a blacklist or a whitelist of known
> bad or known good software, to tell the users: Use
> this software, or don't use that software.

Randomness is necessarily theory laden. To determine
what is good, and what is bad, you have to look inside
the software.

Software should get its randomness from dev/random, or
from similarly open sources of randomness, so that the
source of randomness can be inspected.

The general rule is that true randomness comes from
quantities that are known to be unknown - for example
the variation in disk read timing, which is affected by
turbulence, or the microphone input, which is inherently
noisy. You have to ask where these random numbers
ultimately come from.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
5i5rAiu+t+UqxlCHKBfiAn24UbuH1D2GsYrL3hv7
4q7w1mi+V9whucgThiyHnkPt0EkjS1oIAp9hQ1UKc